A call processing server in an Internet Protocol (IP) network needs to survive Denial of Service (DoS) attacks while still completing and processing legitimate phone calls. As used here, a DoS attack is any condition that causes the call processing server to inappropriately deny or drop a legitimate call request because the server is overloaded with unauthorized requests. For example, a DoS attack may consist of one or more unauthorized sources flooding the call processing server with call requests.
In one specific example, a Session Initiation Protocol (SIP) server mediates SIP sessions for setting up IP phone calls. A SIP session carries call signaling that may request the initiation or termination of a phone call, request something from the SIP server after the call is already established, or make a request to the SIP server unrelated to any call. The SIP server may deny a request if the source of the SIP signaling is not authorized to make the call or if the source has already requested too many call connections.
Authenticating and authorizing call requests consumes a substantial amount of the call processing server's resources, and that work must be done before a request can be recognized as unauthorized. If the call processing server is flooded with unauthorized call requests (a DoS attack), it can become congested and fail to process other, authorized call requests.
Schemes currently exist for addressing congestion in network processing devices. For example, Random Early Detection (RED) is a high-speed congestion avoidance mechanism that responds to incipient network congestion by dropping packets with a probability that rises as the average queue length grows. RED starts dropping packets before the network device's queue is actually full. A sender of TCP/IP traffic interprets the loss as a congestion signal and backs off from its current transmission rate, averting a persistent congestion condition.
A Weighted Random Early Detection (WRED) scheme classifies TCP/IP traffic more finely than RED. For example, certain sources of traffic can be assigned a higher priority than other sources of network traffic, with each class given its own drop thresholds. This allows packets to be dropped preferentially from particular sources that may flood the network processing device.
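The following is an added illustration of the RED and WRED mechanisms described in the two preceding paragraphs; it is not code from the original document and does not implement the method claimed there. It computes RED's piecewise-linear drop curve from an exponentially weighted moving average of queue length, gives each traffic class its own thresholds in the WRED manner, and runs a constructed flood in which one "trusted" and one "untrusted" request arrive per tick while the server completes one. The class names, thresholds, averaging weight and the tick-based queue model are all assumptions chosen for the illustration.

```python
"""Toy RED / WRED drop decision applied to a server's request queue.

Added illustration (not the page's own method). RED keeps an exponentially
weighted moving average of queue length and starts dropping, with a
probability that rises linearly between two thresholds, before the queue is
actually full. WRED gives each traffic class its own thresholds, so the class
the operator trusts less is thinned out first.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RedProfile:
    min_th: float  # below this average queue length nothing is dropped
    max_th: float  # at or above this average queue length everything is dropped
    max_p: float   # drop probability reached as the average approaches max_th


def drop_probability(avg: float, p: RedProfile) -> float:
    """RED's piecewise-linear drop curve for a given average queue length."""
    if avg < p.min_th:
        return 0.0
    if avg >= p.max_th:
        return 1.0
    return p.max_p * (avg - p.min_th) / (p.max_th - p.min_th)


class Wred:
    """One shared queue-length average, per-class drop profiles (WRED)."""

    def __init__(self, profiles: dict, weight: float = 0.1, seed: int = 0):
        self.profiles = profiles
        self.weight = weight  # EWMA weight w_q; larger tracks the queue faster
        self.avg = 0.0
        self.rng = random.Random(seed)  # fixed seed keeps the run reproducible

    def update_avg(self, queue_len: int) -> float:
        self.avg = (1.0 - self.weight) * self.avg + self.weight * queue_len
        return self.avg

    def should_drop(self, cls: str, queue_len: int) -> bool:
        """Decide for one arriving request of class `cls`. Simplified RED: no
        idle-period decay and no inter-drop counter that spreads drops evenly."""
        self.update_avg(queue_len)
        return self.rng.random() < drop_probability(self.avg, self.profiles[cls])


# Assumed class names and thresholds: requests from authenticated sources are
# "trusted" and get generous thresholds; everything else is "untrusted".
DEFAULT_PROFILES = {
    "trusted": RedProfile(min_th=60, max_th=100, max_p=0.1),
    "untrusted": RedProfile(min_th=10, max_th=30, max_p=0.5),
}


def simulate_flood(ticks: int = 300, profiles: dict = DEFAULT_PROFILES) -> dict:
    """Constructed scenario: every tick one trusted and one untrusted request
    arrive while the server completes one request, so the backlog would grow
    without bound if nothing were dropped. Returns drop counts per class,
    the final backlog and the final average."""
    wred = Wred(profiles)
    queue = 0
    drops = {"trusted": 0, "untrusted": 0}
    for _ in range(ticks):
        for cls in ("trusted", "untrusted"):
            if wred.should_drop(cls, queue):
                drops[cls] += 1
            else:
                queue += 1
        if queue > 0:
            queue -= 1  # the server services one queued request per tick
    return {"drops": drops, "queue_len": queue, "avg": round(wred.avg, 2)}


if __name__ == "__main__":
    print(simulate_flood())
```

Because the averaged queue length sits well above the untrusted class's upper threshold and well below the trusted class's lower threshold once the flood stabilizes, the run drops untrusted requests while leaving trusted ones untouched, which is the preferential behaviour WRED offers and plain RED cannot.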
RED and WRED have in the prior art been applied at the packet level in intermediate switching and routing devices. Neither is directly applicable to handling requests in servers, nor to the function of mitigating denial of service attacks.